I want to do some rule profiling work with the Suricata engine. I found that basically I would need to do as this describes: compile Suricata with --enable-profiling
and also enable it in the config yaml file. I've done both of them. Right now I tested with some pcap files but could not get the rule_profile
log from there. However, I could see the packet_profile
file got generated. So I would like to get some help.
I have 2 guesses:
- Is running in IDS mode a problem for getting that rule_profiling file?
- Does it need some real traffic instead of pcap files to get that profiling result?
I am assuming AF_PACKET and NFQUEUE mode should have no impact on this functionality.
Pasting my suricata.yaml below in case it is helpful.
# Run profiling for every xth packet. The default is 1, which means we
# profile every packet. If set to 1000, one packet is profiled for every
# 1000 received.
sample-rate: 1
# rule profiling
rules:
  # Profiling can be disabled here, but it will still have a
  # performance impact if compiled in.
  enabled: yes
  filename: rule.log
  # Sort options: ticks, avgticks, checks, matches, maxticks
  # If commented out all the sort options will be used.
  #sort: avgticks
  # Limit the number of sids for which stats are shown at exit (per sort).
  limit: 10
# per keyword profiling
keywords:
  enabled: no
  filename: keyword_perf.log
  append: yes
prefilter:
  enabled: no
  filename: prefilter_perf.log
  append: yes
# per rulegroup profiling
rulegroups:
  enabled: no
  filename: rule_group_perf.log
  append: yes
# packet profiling
packets:
  # Profiling can be disabled here, but it will still have a
  # performance impact if compiled in.
  enabled: yes
  filename: packet_stats.log
  append: yes